I have some of my Drupal website contents exposed through a JSON REST service. To access them I perform an HTTP request with the Basic Auth protocol (i.e., adding the Authorization header).

My problem is that this website must be published in a folder protected by the AuthUserFile method (i.e., the .htaccess + .htpasswd). Both methods require the same request header "Authorization", so I have no idea how to put them both on the request.

A request example would be:

    curl -X GET \
      http://exmple.com/restendpoint \
      -H 'Authorization: Basic YWRtaslkdskdfhlskdjfgksdfgjpbmlzaA==' \
      -H 'Content-Type: application/json'

Now, this request (given the corresponding credentials) works if I have only .htaccess authentication, or if I have only website authentication, but not both. I also tried to set the same user and password for both mechanisms, but this doesn't work; I still can't access the content.

Is there any way to make these two mechanisms coexist?

donnadulcinea
  • Hey donnadulcinea, I'm facing the same issue and I'm wondering if you solved this issue? – Andreas Mar 05 '20 at 14:51
  • No, I never pointed out how to solve this. And this question has still 0 votes, maybe the solution is naive and I couldn't see it. – donnadulcinea Mar 06 '20 at 15:09
  • I had this issue with a webshop and found documentation on their website saying that in those cases you need to have a free IP route in your htaccess file so you can have only one active authentication. – Andreas Mar 06 '20 at 19:10
  • Actually, when I needed to, I did exactly this to bypass the issue, pointing services to another address on the same IP with no conf restriction. But if this is the only solution I think this is a big flaw of the HTTP query protocol. – donnadulcinea Mar 08 '20 at 10:14
  • I don't feel that way, because it's one request and you shouldn't be able to include 2 different authentications into one single request, that would make things very complicated. – Andreas Mar 09 '20 at 08:52

1 Answer

It is by definition not possible to include two different sets of credentials in a single request. Therefore you need to avoid multiple authentication requests by e.g. IP wildcards for your htaccess file.

Andreas
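The IP exemption suggested in the answer, as an added example that is not part of the original post. It assumes Apache 2.4 authorization syntax; the password file path and the address range are placeholders.

```apache
# .htaccess in the protected folder (added example, Apache 2.4 syntax)
AuthType Basic
AuthName "Restricted"
# Placeholder path: point this at the real password file.
AuthUserFile /path/to/.htpasswd

# Access is granted as soon as ANY enclosed rule matches.
<RequireAny>
    # Constructed example range (RFC 5737 documentation block) standing in
    # for the API client's address. Requests from here are not challenged
    # for .htpasswd credentials, so the single Authorization header can
    # carry the Drupal REST credentials instead.
    Require ip 203.0.113.0/24

    # Every other client must still pass the folder-level Basic auth.
    Require valid-user
</RequireAny>
```

For clients in the exempted range, the application's own Basic auth is the only remaining check, so keep that range as narrow as the API consumers allow.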